Solved: How to create a field from value of an existing fi...

rwiley · ‎12-01-2016

i have this search

index=cmedia sourcetype="adspecificsnmp" 
 | rex field=_raw mode=sed "s/=,/=NA,/g"
 | rex field=_raw max_match=0 "(?(\d+\.)+)(?\d+)=(?[^,]+)"
 | eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
 | mvexpand tempString
 | rex field=tempString "(?[^~]+)~(?[^~]+)~(?(.*))"
 | eval myString=stringPrefix."".stringSuffix
 | lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
 | table description, stringValue

this is partial result. there are 28 values in all

     description,                  stringValue
1   Version ,                   2
2   Box ,                       0
3   Port    ,                      0
4   NodeNumber,                 1
5   PositioinofSpot,               1
6   ScheduleSpotPosition,         1
7   EventPosition,               4
8   FramesPerSec,                 30
9   Owner,                       0

i need the description as a field with value of stringValue

Version ,       Box ,         Port,            NodeNumber,         PositionofSpot,
      2 ,         0 ,           0 ,                    1 ,                     1 ,

i hope this makes sense

Flynt · ‎12-01-2016

A bit shoestringed here but what if you try

|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

For example in the following test search -

|stats count|fields - count|eval description="Version ,", stringValue="2"|append [|stats count|fields - count|eval description="Box ,", stringValue="0"]|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

Version and Box should show up in the same row.

View solution in original post

gcusello · ‎12-02-2016

Hi rwiley,
did you tried with the transpose command?
Bye.
Giuseppe

Flynt · ‎12-01-2016

A bit shoestringed here but what if you try

|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

For example in the following test search -

|stats count|fields - count|eval description="Version ,", stringValue="2"|append [|stats count|fields - count|eval description="Box ,", stringValue="0"]|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

Version and Box should show up in the same row.

rwiley · ‎12-07-2016

thanks Flynt! just what i needed. sorry to take so long on reply. got pulled to another project.

gokadroid · ‎12-01-2016

How about you try |eval {description,}=stringValue right at the end which will create a field name for each description, which it sees and then tabulate that using | table (*,)
Explanation here for the eval expression above

 index=cmedia sourcetype="adspecificsnmp" 
  | rex field=_raw mode=sed "s/=,/=NA,/g"
  | rex field=_raw max_match=0 "(?(\d+\.)+)(?\d+)=(?[^,]+)"
  | eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
  | mvexpand tempString
  | rex field=tempString "(?[^~]+)~(?[^~]+)~(?(.*))"
  | eval myString=stringPrefix."".stringSuffix
  | lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
  | eval {description,}=stringValue
  | table (*,)

rwiley · ‎12-01-2016

This works. but it doesn't bring it in in one row. it brings in the value for stringValue but the rest of the row is empty.

example:
Date SpotID Zone Channel
1 date

2 478393
3 CNN
4 zone

i was hoping to get this
Date SpotID Zone Channel
1 date 478393 zone CNN

How to create a field from value of an existing field?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!